
FedEx Customer Data Left Publicly Exposed on Cloud Storage Server

Yet another cloud data leak has been discovered; this time it's 119,000 documents with personally identifiable information from the FedEx-owned company Bongo International.

FedEx is the latest company to have inadvertently left personally identifiable information publicly exposed on a cloud storage server.

On Feb. 15, security firm Kromtech publicly reported that it discovered an unsecured cloud storage repository, which contained 119,000 scanned documents from both U.S. and international citizens. The data came from Bongo International, which was acquired in 2014 by FedEx Corp.

"Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years," Bob Diachenko, head of communications at Kromtech Security Center, stated. "Seems like bucket has been available for public access for many years in a row."

The scanned data that was discovered by Kromtech was collected by Bongo as part of an application process for individuals to get delivery of mail through an agent. The scanned information included driver's licenses, passports and other forms of security identification. Diachenko stated that it's unknown whether FedEx was aware of the scanned data when it bought Bongo International back in 2014.

What is clear, though, is that FedEx is now aware of the data and has taken steps to secure it.

"After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure," FedEx stated. "The data was part of a service that was discontinued after our acquisition of Bongo."

FedEx added that it found no indication that any information has been misappropriated and the company will continue its investigation.

Amazon S3 Leaks

The data stored by Bongo was hosted in an Amazon S3 (Simple Storage Service) bucket. The data bucket was apparently not properly configured by Bongo, enabling public access by those who knew where to look for the data.

There are multiple tools and methods available to researchers and attackers alike to find potentially exposed Amazon S3 buckets. One such tool is the open-source AWS BucketDump project, which provides a secure way to look for interesting files in S3 buckets, according to the project's GitHub page.

FedEx is certainly not the first, nor will it be the last, firm to receive a report that it has somehow left customer information publicly exposed in the cloud. In recent years, multiple sets of security researchers have reported similar incidents. In December 2017, security firm UpGuard reported that the information of 123 million Americans was exposed in an Amazon S3 bucket by data analytics firm Alteryx, which is a business partner of consumer credit reporting agency Experian. Other firms that have inadvertently left customer data exposed in the cloud include Accenture and Verizon, among others.

How To Limit the Risk of Cloud Data Leaks

While Amazon S3 cloud data leaks have often been reported, there are a number of steps that organizations can take using Amazon's own tools to limit risk.

In all of the publicly reported Amazon S3 data leaks, the storage bucket was somehow misconfigured, enabling unintended public access. Amazon has multiple technologies available to its S3 users to discover personally identifiable information in S3 storage buckets, as well as to protect that data.

The Amazon Macie service, which was first announced in August 2017, is a machine learning technology to help organizations find confidential information that might be stored in their S3 storage buckets. Amazon also provides encryption capabilities for S3 that were announced in November 2017, enabling organizations to encrypt confidential information that is stored in S3 buckets, helping to limit the risk of data leakage.